2018-11-05 DarkComet Malspam

Here is a quick writeup of some DarkComet RAT malspam that I was able to find this morning. The infection vector is the now-standard malicious RTF attachment that exploits the Microsoft Equation Editor stack buffer overflow (CVE-2017-11882); the RTF is only the carrier, the overflow itself is in EQNEDT32.EXE. For more information about what DarkComet is, please see the following link:

All artifacts can be found over at my Github repo located here. I also have the memory dump post-infection saved here since it is too large for GitHub. Plus it gives me (and others) the ability to play with some memory forensics via Volatility. 😎

which got written to disk as "outlooks.exe" in the "C:\Users\%username%\AppData\Roaming" folder. I then saw the "outlooks.exe" process open a command prompt (which actually did pop up on my screen, but I did not get enough time to screen capture it). That prompt was the batch file "fud.bat", located in "C:\Users\%username%\AppData\Local\Temp\RarSFX1", being executed. The batch file in turn ran a self-extracting WinRAR archive protected with the password '125' (passed on the command line with the -p switch), which extracted the next stage, "fredi.exe", into "C:\Users\%username%\AppData\Local\Temp\RarSFX1". The RarSFX1 folder name and the -p switch on a command line are both good hunting points: WinRAR SFX stubs always unpack into a %TEMP%\RarSFX<n> folder, and a password embedded in the extraction command is a strong sign of a packed dropper.

Once fredi.exe started, it wrote a new file, "msdcsc.exe", to "C:\Users\%username%\Documents\MSDCSC". That filename and folder are DarkComet's defaults, so seeing either one on a host is a reliable indicator on its own. It is this process that is responsible for the callbacks to the C2 at 23[.]227[.]201[.]154:1604 (1604 is DarkComet's default listener port). The traffic is not plaintext: DarkComet RC4-encrypts its socket traffic with a key that is set in the builder, which is why the callbacks look encoded on the wire.

I initially thought the callbacks to the C2 were what got written to the "2018-11-05.dc" file in the "C:\Users\%username%\AppData\Roaming\dclogs" folder. The file was pretty empty at first, but as I started to type and do things within the VM it started to fill up, which fits what that folder actually is: "dclogs" is DarkComet's keylogger output directory, with one date-named .dc file per day holding captured keystrokes and the window titles they were typed into. So the file is a record of the keylogger, not of the network traffic, and its contents are a quick way to see what the operator could have collected from the victim.

Persistence is maintained through a value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that points at the "msdcsc.exe" executable in the "C:\Users\%username%\Documents\MSDCSC" folder. Because it lives under HKCU, no elevation was needed to set it, and it only fires for the infected user account; removing that Run value and the MSDCSC folder is enough to break the autostart.
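To turn the chain above into something you can run against endpoint telemetry, here is an added example (my code, not part of the original writeup or a DarkComet artifact) that triages Sysmon-style events for the indicators called out on this page: the outlooks.exe and fredi.exe drop paths, fud.bat, the -p125 password on a command line, the MSDCSC\msdcsc.exe install path, the dclogs keylogger files, the HKCU Run persistence value, and the 23.227.201.154:1604 C2 socket. The event records are constructed stand-ins for Sysmon event IDs 1, 11, 3 and 13; the user name "bob", the SID, the "sfx.exe" name of the inner self-extractor and the "Update" Run value name are assumptions, since the post does not give them.

```python
"""Triage Sysmon-style events for the DarkComet/WinRAR-SFX chain described above.

Constructed example: SAMPLE_EVENTS are hand-written stand-ins for Sysmon
EventID 1 (process create), 11 (file create), 3 (network connect) and
13 (registry value set). Field names follow Sysmon's; the records are not
from the analysed host.
"""
import re

# Indicators taken from the writeup.
C2_IP = "23.227.201.154"
C2_PORT = 1604  # DarkComet default listener port

# Path indicators, matched case-insensitively on image paths, command lines,
# created file names and Run-key value data.
PATH_RULES = [
    ("sfx_dropper_outlooks", re.compile(r"\\AppData\\Roaming\\outlooks\.exe\b", re.I)),
    ("sfx_extract_fredi", re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d*\\fredi\.exe\b", re.I)),
    ("sfx_fud_bat", re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d*\\fud\.bat\b", re.I)),
    ("darkcomet_msdcsc", re.compile(r"\\Documents\\MSDCSC\\msdcsc\.exe\b", re.I)),
    ("darkcomet_keylog", re.compile(r"\\AppData\\Roaming\\dclogs\\\d{4}-\d{2}-\d{2}.*\.dc\b", re.I)),
]
# WinRAR SFX password switch as seen in this sample: "-p125" or "-p 125".
SFX_PASSWORD_RE = re.compile(r"(?:^|\s)-p\s*125(?:\s|$)")
# Any value under the per-user Run key (Sysmon logs HKCU as HKU\<SID>).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def match_path(text):
    """Return the name of the first path rule that matches, or None."""
    for name, rx in PATH_RULES:
        if rx.search(text):
            return name
    return None


def triage(events):
    """Return [(event_index, finding), ...] for every indicator hit."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:  # process create
            name = match_path(ev.get("Image", ""))
            if name:
                hits.append((i, f"exec:{name}"))
            else:
                name = match_path(ev.get("CommandLine", ""))
                if name:
                    hits.append((i, f"cmdline:{name}"))
            if SFX_PASSWORD_RE.search(ev.get("CommandLine", "")):
                hits.append((i, "sfx_password_on_cmdline"))
        elif eid == 11:  # file create
            name = match_path(ev.get("TargetFilename", ""))
            if name:
                hits.append((i, f"write:{name}"))
        elif eid == 3:  # network connect
            if ev.get("DestinationIp") == C2_IP and int(ev.get("DestinationPort", 0)) == C2_PORT:
                hits.append((i, "c2_callback"))
        elif eid == 13:  # registry value set; Details may be a quoted path
            if RUN_KEY_RE.search(ev.get("TargetObject", "")) and match_path(ev.get("Details", "").strip('"')):
                hits.append((i, "run_key_persistence"))
    return hits


# Constructed events following the order observed in the writeup, plus two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\AppData\Roaming\outlooks.exe"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Roaming\outlooks.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Roaming\outlooks.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\bob\AppData\Local\Temp\RarSFX1\fud.bat"'},
    # Inner self-extractor launched by fud.bat; "sfx.exe" is an assumed name.
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\RarSFX1\sfx.exe",
     "CommandLine": r'sfx.exe -p125 -d"C:\Users\bob\AppData\Local\Temp\RarSFX1"'},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\RarSFX1\fredi.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\RarSFX1\fredi.exe"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\Documents\MSDCSC\msdcsc.exe"},
    # Run value name "Update" and the SID are assumptions.
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r'"C:\Users\bob\Documents\MSDCSC\msdcsc.exe"'},
    {"EventID": 3, "DestinationIp": "23.227.201.154", "DestinationPort": "1604"},
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\AppData\Roaming\dclogs\2018-11-05.dc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The rules are deliberately narrow (this sample's paths, password and C2), which is what you want for confirming an infection by this exact campaign; for broader DarkComet hunting the msdcsc.exe, MSDCSC and dclogs rules are the ones that generalise, because they are the tool's defaults rather than choices made by this particular operator.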